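# NixOS module: qBittorrent (qbittorrent-nox) confined to the "wg" VPN network
# namespace, with its WebUI published only through a Caddy reverse proxy.
#
# Trust model visible in this file:
#   * qBittorrent's own WebUI authentication is bypassed (AuthSubnetWhitelist),
#     so whatever can reach the WebUI port has full control of the client.
#   * Caddy is the only intended client; it carries the auth configuration read
#     from ../secrets/caddy_auth and proxies to the namespace address.
{
  pkgs,
  config,
  service_configs,
  username,
  lib,
  ...
}:
{
  # network namespace that is proxied through mullvad
  vpnNamespaces.wg = {
    # Host -> namespace mapping so Caddy (running on the host) can reach the WebUI.
    portMappings = [
      {
        from = config.services.qbittorrent.webuiPort;
        to = config.services.qbittorrent.webuiPort;
      }
    ];

    # Deliberately no `openVPNPorts` entry for the WebUI port. That option makes
    # a port reachable through the VPN interface itself, and the WebUI accepts
    # unauthenticated requests from any IPv4 source (see AuthSubnetWhitelist
    # below), so it must only be reachable from the host side via portMappings.
    # NOTE(review): if inbound peer connections are wanted, open the BitTorrent
    # listening port here instead; that port is not defined in this file.
  };

  services.qbittorrent = {
    enable = true;
    package = pkgs.qbittorrent-nox;
    webuiPort = service_configs.ports.torrent;

    serverConfig.LegalNotice.Accepted = true;

    serverConfig.Preferences = {
      WebUI = {
        AlternativeUIEnabled = true;
        # Third-party UI fetched at build time; the fixed-output hash pins the
        # exact archive contents, so a changed upload fails the build.
        RootFolder = "${pkgs.fetchzip {
          url = "https://github.com/VueTorrent/VueTorrent/releases/download/v2.22.0/vuetorrent.zip";
          sha256 = "UJflyTyftWSIOi942OgH/tvylyAeo6EjR14U0SHk6bs=";
        }}";

        # disable auth because we use caddy for auth
        # "0.0.0.0/0" whitelists every IPv4 source, so network reachability of
        # the WebUI port is the only access control qBittorrent itself applies.
        # NOTE(review): consider narrowing this to the address Caddy connects
        # from (the namespace bridge side) once that value is confirmed.
        AuthSubnetWhitelist = "0.0.0.0/0";
        AuthSubnetWhitelistEnabled = true;
      };

      Downloads = {
        SavePath = service_configs.torrent.SavePath;
        TempPath = service_configs.torrent.TempPath;
      };
    };

    serverConfig.BitTorrent = {
      Session = {
        GlobalUPSpeedLimit = 500; # in KiB/s
        GlobalDLSpeedLimit = 0;
        IgnoreLimitsOnLAN = true;

        # Including overhead in limits ruins download because download
        # uses upload to communicate with seeders
        IncludeOverheadInLimits = false;

        GlobalMaxRatio = 4;

        QueueingSystemEnabled = false; # seed all torrents all the time
        AddTrackersEnabled = true;
        # Joined with a literal backslash-n sequence (not a newline character).
        AdditionalTrackers = (
          lib.concatStringsSep "\\n" [
            "udp://tracker.opentrackr.org:1337/announce"
            "udp://open.stealth.si:80/announce"
            "udp://open.demonii.com:1337"
            "udp://exodus.desync.com:6969/announce"
            "udp://tracker.dler.org:6969/announce"
            "udp://tracker.bittor.pw:1337/announce"
            "udp://tracker.torrent.eu.org:451/announce"
            # "udp://opentracker.i2p.rocks:6969/announce"
            # "udp://tracker.openbittorrent.com:6969/announce"
            # "udp://aarsen.me:6969/announce"
            "udp://explodie.org:6969/announce"
            # "udp://uploads.gamecoast.net:6969/announce"
            "http://tracker.files.fm:6969/announce"
            "udp://tracker.tiny-vps.com:6969/announce"
            "udp://p4p.arenabg.com:1337/announce"
            "udp://tracker.dler.com:6969/announce"
            "udp://inferno.demonoid.is:3391/announce"
          ]
        );
      };
    };
  };

  # Download directories: owner and group get full access (0770), others none.
  systemd.tmpfiles.rules = [
    "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0770 ${config.services.qbittorrent.user} ${service_configs.torrent_group}"
    "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0770 ${config.services.qbittorrent.user} ${service_configs.torrent_group}"
  ];

  # make qbittorrent use a vpn
  systemd.services.qbittorrent.vpnConfinement = {
    enable = true;
    vpnNamespace = "wg";
  };

  # Caddy is the only authenticated entry point to the WebUI.
  # NOTE(review): builtins.readFile inlines ../secrets/caddy_auth at evaluation
  # time, so its contents end up in the generated Caddy configuration inside the
  # world-readable Nix store. Presumably this holds password hashes rather than
  # plaintext credentials; confirm, or load it at runtime from a file kept
  # outside the store.
  services.caddy.virtualHosts."torrent.${service_configs.https.domain}".extraConfig = ''
    # tls internal
    ${builtins.readFile ../secrets/caddy_auth}
    reverse_proxy ${service_configs.https.wg_ip}:${builtins.toString config.services.qbittorrent.webuiPort}
  '';

  # Service account joins the shared torrent group (access to the download dirs).
  users.users.${config.services.qbittorrent.user}.extraGroups = [ service_configs.torrent_group ];
  # Interactive user joins the qbittorrent group.
  users.users.${username}.extraGroups = [ config.services.qbittorrent.group ];
}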